Merge pull request #9574 from hmac/hmac/action-cable-logger

Ruby: More Rails modeling

ruby/ql/test/query-tests/security/cwe-601/UrlRedirect.expected

@@ -3,11 +3,14 @@ edges
 | UrlRedirect.rb:14:17:14:22 | call to params :  | UrlRedirect.rb:14:17:14:43 | call to fetch |
 | UrlRedirect.rb:19:17:19:22 | call to params :  | UrlRedirect.rb:19:17:19:37 | call to to_unsafe_hash |
 | UrlRedirect.rb:24:31:24:36 | call to params :  | UrlRedirect.rb:24:17:24:37 | call to filter_params |
-| UrlRedirect.rb:24:31:24:36 | call to params :  | UrlRedirect.rb:63:21:63:32 | input_params :  |
+| UrlRedirect.rb:24:31:24:36 | call to params :  | UrlRedirect.rb:88:21:88:32 | input_params :  |
 | UrlRedirect.rb:34:20:34:25 | call to params :  | UrlRedirect.rb:34:20:34:31 | ...[...] :  |
 | UrlRedirect.rb:34:20:34:31 | ...[...] :  | UrlRedirect.rb:34:17:34:37 | "#{...}/foo" |
 | UrlRedirect.rb:58:17:58:22 | call to params :  | UrlRedirect.rb:58:17:58:28 | ...[...] |
-| UrlRedirect.rb:63:21:63:32 | input_params :  | UrlRedirect.rb:64:5:64:29 | call to permit :  |
+| UrlRedirect.rb:63:38:63:43 | call to params :  | UrlRedirect.rb:63:38:63:49 | ...[...] |
+| UrlRedirect.rb:68:38:68:43 | call to params :  | UrlRedirect.rb:68:38:68:49 | ...[...] |
+| UrlRedirect.rb:73:25:73:30 | call to params :  | UrlRedirect.rb:73:25:73:36 | ...[...] |
+| UrlRedirect.rb:88:21:88:32 | input_params :  | UrlRedirect.rb:89:5:89:29 | call to permit :  |
 nodes
 | UrlRedirect.rb:4:17:4:22 | call to params | semmle.label | call to params |
 | UrlRedirect.rb:9:17:9:22 | call to params :  | semmle.label | call to params :  |
@@ -23,10 +26,16 @@ nodes
 | UrlRedirect.rb:34:20:34:31 | ...[...] :  | semmle.label | ...[...] :  |
 | UrlRedirect.rb:58:17:58:22 | call to params :  | semmle.label | call to params :  |
 | UrlRedirect.rb:58:17:58:28 | ...[...] | semmle.label | ...[...] |
-| UrlRedirect.rb:63:21:63:32 | input_params :  | semmle.label | input_params :  |
-| UrlRedirect.rb:64:5:64:29 | call to permit :  | semmle.label | call to permit :  |
+| UrlRedirect.rb:63:38:63:43 | call to params :  | semmle.label | call to params :  |
+| UrlRedirect.rb:63:38:63:49 | ...[...] | semmle.label | ...[...] |
+| UrlRedirect.rb:68:38:68:43 | call to params :  | semmle.label | call to params :  |
+| UrlRedirect.rb:68:38:68:49 | ...[...] | semmle.label | ...[...] |
+| UrlRedirect.rb:73:25:73:30 | call to params :  | semmle.label | call to params :  |
+| UrlRedirect.rb:73:25:73:36 | ...[...] | semmle.label | ...[...] |
+| UrlRedirect.rb:88:21:88:32 | input_params :  | semmle.label | input_params :  |
+| UrlRedirect.rb:89:5:89:29 | call to permit :  | semmle.label | call to permit :  |
 subpaths
-| UrlRedirect.rb:24:31:24:36 | call to params :  | UrlRedirect.rb:63:21:63:32 | input_params :  | UrlRedirect.rb:64:5:64:29 | call to permit :  | UrlRedirect.rb:24:17:24:37 | call to filter_params |
+| UrlRedirect.rb:24:31:24:36 | call to params :  | UrlRedirect.rb:88:21:88:32 | input_params :  | UrlRedirect.rb:89:5:89:29 | call to permit :  | UrlRedirect.rb:24:17:24:37 | call to filter_params |
 #select
 | UrlRedirect.rb:4:17:4:22 | call to params | UrlRedirect.rb:4:17:4:22 | call to params | UrlRedirect.rb:4:17:4:22 | call to params | Untrusted URL redirection due to $@. | UrlRedirect.rb:4:17:4:22 | call to params | a user-provided value |
 | UrlRedirect.rb:9:17:9:28 | ...[...] | UrlRedirect.rb:9:17:9:22 | call to params :  | UrlRedirect.rb:9:17:9:28 | ...[...] | Untrusted URL redirection due to $@. | UrlRedirect.rb:9:17:9:22 | call to params | a user-provided value |
@@ -35,3 +44,6 @@ subpaths
 | UrlRedirect.rb:24:17:24:37 | call to filter_params | UrlRedirect.rb:24:31:24:36 | call to params :  | UrlRedirect.rb:24:17:24:37 | call to filter_params | Untrusted URL redirection due to $@. | UrlRedirect.rb:24:31:24:36 | call to params | a user-provided value |
 | UrlRedirect.rb:34:17:34:37 | "#{...}/foo" | UrlRedirect.rb:34:20:34:25 | call to params :  | UrlRedirect.rb:34:17:34:37 | "#{...}/foo" | Untrusted URL redirection due to $@. | UrlRedirect.rb:34:20:34:25 | call to params | a user-provided value |
 | UrlRedirect.rb:58:17:58:28 | ...[...] | UrlRedirect.rb:58:17:58:22 | call to params :  | UrlRedirect.rb:58:17:58:28 | ...[...] | Untrusted URL redirection due to $@. | UrlRedirect.rb:58:17:58:22 | call to params | a user-provided value |
+| UrlRedirect.rb:63:38:63:49 | ...[...] | UrlRedirect.rb:63:38:63:43 | call to params :  | UrlRedirect.rb:63:38:63:49 | ...[...] | Untrusted URL redirection due to $@. | UrlRedirect.rb:63:38:63:43 | call to params | a user-provided value |
+| UrlRedirect.rb:68:38:68:49 | ...[...] | UrlRedirect.rb:68:38:68:43 | call to params :  | UrlRedirect.rb:68:38:68:49 | ...[...] | Untrusted URL redirection due to $@. | UrlRedirect.rb:68:38:68:43 | call to params | a user-provided value |
+| UrlRedirect.rb:73:25:73:36 | ...[...] | UrlRedirect.rb:73:25:73:30 | call to params :  | UrlRedirect.rb:73:25:73:36 | ...[...] | Untrusted URL redirection due to $@. | UrlRedirect.rb:73:25:73:30 | call to params | a user-provided value |

ruby/ql/test/query-tests/security/cwe-601/UrlRedirect.rb

@@ -53,11 +53,36 @@ class UsersController < ActionController::Base
 
   # BAD
   # The same as `create1` but this is reachable via a GET request, as configured
-  # by the routes at the top of this file.
+  # by the routes at the bottom of this file.
   def route9
     redirect_to params[:key]
   end
 
+  # BAD
+  def route10
+    redirect_back fallback_location: params[:key]
+  end
+
+  # BAD
+  def route11
+    redirect_back fallback_location: params[:key], allow_other_host: true
+  end
+
+  # BAD
+  def route12
+    redirect_back_or_to params[:key]
+  end
+
+  # GOOD
+  def route13
+    redirect_back fallback_location: params[:key], allow_other_host: false
+  end
+
+  # GOOD
+  def route14
+    redirect_back_or_to params[:key], allow_other_host: false
+  end
+
   private
 
   def filter_params(input_params)